Difference between revisions of "Winter 2010 Posters/Certs"


Revision as of 20:40, 17 April 2010

Project Name: Koji Certification Creation

Name: Sadiki Latty


Understanding the Koji Process

Before understanding the Koji certification process, one must first understand the Koji process itself. Koji uses various machines (virtual or physical) to build software packages for different architectures. We decided to create a Koji builder scenario for our ARM-based physical machines (OpenRD, SheevaPlug) and our virtual machines (ARM emulators). For these machines to perform their build tasks we need a central monitoring system that tracks their progress: this is the koji hub. Before the builders can communicate with the hub they must be authenticated and verified as authorized builders, and that is where Koji certificates come in.

Koji Cert Components

Koji certs allow a koji builder to communicate with the koji hub. The necessary components are as follows.

  • Koji Certificate Authority
  • Koji Server Cert
  • Koji Builder Cert


Together, these certs allow the builders to communicate with the koji hub and vice versa. After some research and a bit of tweaking, I took a concept from the Fedora Project's website (http://fedoraproject.org/wiki/Koji/ServerHowTo) and created a script that requires minimal effort from anyone making multiple certs, or from anyone who would rather quickly make a cert than learn the process.

How to use the script

I broke the code down into two separate pieces: one for making the CA (Certificate Authority) and one for making the certs for the different users/builders you would like configured. The way my script differs from the original is that it uses the argument passed to it as the default commonName in the ssl.cnf file.


For example, to create a cert for a new user, let's say "kojiuser1", run:

  # ./certscript kojiuser1


The script, as usual, asks the various questions about where you are from, the OU name, the province, etc., and then asks what the commonName should be. This name and/or the OU name must differ from every cert already created, or you will get a TXT_ error. My script lets you simply press enter, knowing that the commonName will default to "kojiuser1". This may not seem like much for the creation of one user, but consider creating multiple users, which was the case for me:



  # for user in arm{1..25}
  > do
  > ./certscript $user
  > done


In addition, a folder called "confs" holds all the conf files used to make the certs, which makes backtracking easier. For now only one line gets modified, but this leaves room for future changes. The only time you need to press a key other than enter is when the script asks whether you want to sign the cert. Of course 95% of the script remains the same as before, but this modification makes life one step easier and hence shortens the cert creation process.
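The page does not show certscript itself, so here is an added shell example of the same idea (not the author's script): it writes a per-user copy of the ssl.cnf template under confs/ with only the commonName_default line swapped for the argument, then issues and CA-signs the cert. The CA file names (private/ca_key.pem, ca_cert.pem) and the exact openssl invocations are assumptions.

```shell
#!/bin/bash
# Added example (not the author's certscript): derive a per-user copy of the
# page's ssl.cnf whose commonName_default is the name passed in, keep that copy
# under confs/, then issue and CA-sign the cert with OpenSSL.
# Assumptions: ssl.cnf (the template shown in CERT EXAMPLE) is in the working
# directory, and the CA key/cert live at private/ca_key.pem and ca_cert.pem
# (hypothetical names), with index.txt and serial already initialised.
set -eu

TEMPLATE=${TEMPLATE:-ssl.cnf}

# Write confs/<user>.cnf with only the commonName_default line changed, as the
# page describes; every other line is copied verbatim. Prints the new path.
make_conf() {
    user=$1
    mkdir -p confs
    conf="confs/$user.cnf"
    sed "s/^\(commonName_default[[:space:]]*=\).*/\1 $user/" "$TEMPLATE" > "$conf"
    printf '%s\n' "$conf"
}

# Read the commonName default back out of a conf file (handy for checking).
conf_cn() {
    sed -n 's/^commonName_default[[:space:]]*=[[:space:]]*//p' "$1"
}

# Key, CSR and CA signature for one user, all driven by the per-user conf.
# Pressing enter at each prompt accepts <user> as the commonName; the only
# other input is the y/n answer when openssl ca asks whether to sign.
make_cert() {
    user=$1
    conf=$(make_conf "$user")
    mkdir -p certs newcerts
    openssl genrsa -out "certs/$user.key" 2048
    openssl req -config "$conf" -new -key "certs/$user.key" -out "certs/$user.csr"
    openssl ca -config "$conf" -md sha256 \
        -keyfile private/ca_key.pem -cert ca_cert.pem -outdir newcerts \
        -out "certs/$user.crt" -infiles "certs/$user.csr"
}

# Usage: ./certscript kojiuser1
#   or:  for user in arm{1..25}; do ./certscript $user; done
if [ $# -gt 0 ]; then
    make_cert "$1"
fi
```

The 2048-bit key and `-md sha256` deliberately override the template's `default_bits = 1024` and `default_md = md5`, both of which are too weak for any certificate issued today.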


CERT EXAMPLE

Here is an example of a tweaked ssl.cnf file:

HOME                    = .
RANDFILE                = .rand

[ca]
default_ca              = ca_default

[ca_default]
dir                     = .
certs                   = $dir/certs
crl_dir                 = $dir/crl
database                = $dir/index.txt
new_certs_dir           = $dir/newcerts
certificate             = $dir/%s_ca_cert.pem
private_key             = $dir/private/%s_ca_key.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
x509_extensions         = usr_cert
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 3650
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_match

[policy_match]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extensions to add to the self signed cert
string_mask             = MASK:0x2002

[req_distinguished_name]
countryName                     = Country Name (2 letter code)
countryName_default             = CA
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Ontario
localityName                    = Locality Name (eg, city)
localityName_default            = Toronto
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Seneca CDOT
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server's hostname)
commonName_default              = hongkong
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[req_attributes]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[usr_cert]
basicConstraints                = CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always

[v3_ca]
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer:always
basicConstraints                = CA:true